Blog Posts Tagged with "Security Strategies"

I know the Chinese recently held a military exercise under constrained conditions; they even advertised it ex post facto. Why don’t we? I would see that as the perfect opportunity to increase the cross-pollination, knowledge and appreciation between Electronic Warfare and cyber...

Increasingly, both the armed forces and businesses are practicing the concept of “active defense,” a military term that refers to efforts to thwart an attack by attacking the attackers. However popular it has become, active defense is an alarming trend...

Configuration, Change and Release Management is crucial to being an effective information security organization in an enterprise, large or small. If you don't have a handle on the rate of change in your enterprise, you have absolutely no hope of effectively securing anything...

Recently in New York City we hosted a CISO-level event where we discussed various issues experienced during the life of an enterprise security program. CISOs brought up various topics, from budgeting to being overwhelmed with constantly evolving threats, but one in particular caught my attention...

In the corporate world, we talk a lot about corporate goals & objectives. In the US Government, you hear a lot about “The Mission,” which is the unifying goal that ties an agency (or multiple agencies) together in a shared sense of purpose. I’m a big believer in connecting our actions as information security professionals to The Mission...

We’re going to use the phrase “Connecting security to the business” with almost annoying frequency because it can change the way the business views security, and vice versa. This calls for a primer of sorts: What do we mean by all this “connecting security to the business” talk?

If we are charged with designing, architecting, implementing, deploying, integrating, training and supporting security technology, processes and policies within our organization, we might discover that this work is really an art more than a science...

Management sometimes assumes that when they have identified and summarized the top risks to their organization through a Strategic Risk Assessment, that they have implemented ERM. This is simply not the case. Strategic Risk Assessment is an important component of ERM and usually a starting point, but not a final destination...

As the complexity of attacks grows at a rate outstripping the pace of Moore's Law, defenders have to take up a more nuanced approach to protecting their environments. Reliance on technical solutions alone is not tenable; you have to look at the creature behind the keyboard to get a better picture of the attack...

Billions of dollars and millions of identities are at stake every day. In the past, security professionals thought firewalls, Secure Sockets Layer, patching, and privacy policies were enough to protect websites from hackers. Today, we know better. Whatever your industry — you should have consistent testing...

The Swiss are standing up a cyber command and they say their cyber warriors will be armed. Why wouldn’t this work in the US? First, we don’t trust our people as much as the Swiss. That is the nature of our culture, especially in the US. We are more paranoid, cynical and negative. We tend to micromanage...

The typical reaction I get in the US is that many organizations see compliance as a “tax” and try to get away with doing the bare minimum. How do you and your organizations view compliance? Do you see it as a four-letter word, a nuisance, or as a step along the path to more effective security?

In far too many organizations, leaders and practitioners tell me that the role of Information Security is to protect the organization. Accepting this thinking got us into the predicament where we are today, where security isn't everyone's job and only Infosec is thinking about security. This couldn't be more wrong...

"The vulnerabilities inherent in social media, ubiquitous encryption and malicious software that has the ability to change form and target enroute, retaining access and the freedom to maneuver in cyberspace will be essential for us to defend ourselves and influence the nature of future conflict..."

I had a hard time believing that "going faster" could be more secure. It was difficult to wrap my brain around how deploying code in more rapid succession could mean that the code deployed could actually be safer... but I believe that to be true now. The one caveat here is "if it's done right"...

Devices aren’t the main problem in a BYOD strategy: employees are. That’s why BYOD is not just a technical issue. It needs a holistic approach that includes HR, data security and legal stakeholders. Organizations adopting BYOD should put in place a strategy that includes policies and technical constraints...